MCEDT

The Medical Claims Electronic Data Transfer (MCEDT) interface automates downloads and uploads of billing files to the Ontario Ministry of Health and Long-Term Care.


EDT Client Setup


These instructions, provided by OSCAR EMR, Carlos Yu and Hagir of KAI Innovations, describe the configuration steps required to enable the MCEDT client in your local development environment. The intended audience includes developers and system administrators.

Prerequisites

  1. You will need a tool for working with key stores. Use either the keytool utility that comes with Java (used below) or something like KeyStore Explorer: http://keystore-explorer.sourceforge.net/
  2. You will require up-to-date MCEDT login credentials. You should be provided a set of credentials by the MCEDT conformance testing team.
  3. Designate additional doctors.  Any additional doctors need to designate the primary billing account to submit for them. The steps to do this are:
    - Visit https://www.edt.health.gov.on.ca/ and log into your account
    - Click the "Designee Maintenance" area to add a designee 
    - Click “Add a Designee” 
    - Enter the name and email address of the designee
     
    The designee will then receive an email asking them to confirm the designation. There will be a link for them to click in the email to confirm this. 
    An email response will then be sent to the designator to authorize permissions. The authorization steps are:
    - Click the link in the email or log in to Go Secure normally
    - Click the “Designee Maintenance” area
    - Click “MC EDT” beside the designee name
    - Click the “Select All” button and then click “Save”
     

Once you have the items above, you should be ready to start working with the MCEDT service. To make a successful call you need to carry out two setup steps: generate a keystore containing a private-public key pair, and import the MCEDT public certificate into it. Once that is done, the project must be configured to know where to locate the required files.

Create a Key Store using ONE of the two methods below

Creating Key Store with Java Keytool


 

1. Generate /etc/tomcat7/mcedt.jks, using whatever clinic information you want. Both keypass and storepass need to be the same. Here keypass and storepass are both set to changeit; if you use this password, you won't have to change the rest of the how-to as much.

sudo keytool -genkeypair -keyalg RSA -keysize 2048 -validity 3600 -alias mcedt -keypass changeit -keystore /etc/tomcat7/mcedt.jks -storepass changeit


You can check if you did it correctly with the following:

sudo keytool -list -rfc -keystore /etc/tomcat7/mcedt.jks -storepass changeit


2. Clone ebs stubs. Copy the go-pki_cacert.arm file from the MCEDT source files (edt-stubs/src/main/resources/from_ohip_web_site/Root Certificates/go-pki_cacert.arm) and place it in /etc/tomcat7/

3. Adjust permissions. Leave go-pki_cacert.arm as root:root but change mcedt.jks so that it can be read by Tomcat:

sudo chown tomcat7:tomcat7 /etc/tomcat7/mcedt.jks


Check that the certificate file has not been corrupted:

sudo md5sum /etc/tomcat7/go-pki_cacert.arm  #should give you  7aeb6e56334b893bab3e94d974880000


4. Import the MOH certificate into the same keystore 

sudo keytool -import -trustcacerts -alias root -file /etc/tomcat7/go-pki_cacert.arm -keystore /etc/tomcat7/mcedt.jks -storepass changeit -rfc


You can check if you did it correctly with the following:

sudo keytool -list -rfc -keystore /etc/tomcat7/mcedt.jks -storepass changeit


5. Use your favorite editor to edit the properties for the clientKeystore in OSCAR 

sudo nano /var/lib/tomcat7/webapps/oscar/WEB-INF/classes/clientKeystore.properties


Edit the following lines to conform to your settings:

org.apache.ws.security.crypto.provider=org.apache.ws.security.components.crypto.Merlin
org.apache.ws.security.crypto.merlin.keystore.type=jks
org.apache.ws.security.crypto.merlin.keystore.password=changeit
org.apache.ws.security.crypto.merlin.keystore.alias=mcedt
org.apache.ws.security.crypto.merlin.keystore.file=/etc/tomcat7/mcedt.jks
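
A scripted version of the "check if you did it correctly" steps, added here as an example (it is not part of OSCAR or the MCEDT stubs): it reads the `keytool -list -rfc` listing and confirms that the signing alias is a key pair and that a trusted certificate was imported. The function name and sample listings are constructed, and it assumes keytool's English `Alias name:` / `Entry type:` lines.

```shell
#!/usr/bin/env bash
# Added example: check a `keytool -list -rfc` listing of the MCEDT keystore.
# On a real host, pipe the verification command from the steps above into it:
#   sudo keytool -list -rfc -keystore /etc/tomcat7/mcedt.jks -storepass changeit \
#     | check_mcedt_keystore mcedt

# stdin: keytool -list -rfc output; $1: the signing alias (mcedt in this how-to).
# Succeeds only if $1 is a PrivateKeyEntry (step 1) and at least one
# trustedCertEntry, i.e. the imported go-pki_cacert.arm (step 4), is present.
check_mcedt_keystore() {
  awk -v want="$1" '
    /^Alias name: / { alias = substr($0, 13) }
    /^Entry type: / { etype[alias] = substr($0, 13) }
    END {
      if (!(want in etype)) { print "FAIL: alias " want " not found"; exit 1 }
      if (etype[want] != "PrivateKeyEntry") {
        print "FAIL: " want " is a " etype[want] ", not a key pair"; exit 1 }
      for (a in etype) if (etype[a] == "trustedCertEntry") trusted++
      if (!trusted) { print "FAIL: no trusted CA certificate imported"; exit 1 }
      print "OK: key pair " want ", " trusted " trusted certificate(s)"
    }'
}

# Constructed sample listings (certificate bodies left out), not real output.
SAMPLE_OK='Keystore type: JKS
Your keystore contains 2 entries

Alias name: root
Creation date: Jan 1, 2020
Entry type: trustedCertEntry

Alias name: mcedt
Creation date: Jan 1, 2020
Entry type: PrivateKeyEntry
Certificate chain length: 1'

# Same keystore with step 4 (certificate import) skipped.
SAMPLE_NO_CA='Keystore type: JKS
Your keystore contains 1 entry

Alias name: mcedt
Creation date: Jan 1, 2020
Entry type: PrivateKeyEntry
Certificate chain length: 1'

printf '%s\n' "$SAMPLE_OK"    | check_mcedt_keystore mcedt
printf '%s\n' "$SAMPLE_NO_CA" | check_mcedt_keystore mcedt || true
```

The alias passed to the function must be the same one set in org.apache.ws.security.crypto.merlin.keystore.alias.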

(ALTERNATE) Creating Key Store with Key Store Explorer

After installing this tool, you will be prompted to install the jurisdiction policy. For that, navigate to Oracle’s web site, download the policy zip, point the installer to that zip, and click the upgrade button. Now you are ready to use KeyStore Explorer.

1. Launch KeyStore Explorer
2. Create a new keystore by clicking File > New > JKS and then OK
3. Create a new key pair by clicking Tools > Generate Key Pair, then pick the RSA algorithm and a key size of 2048 bits
4. You will be prompted to enter key pair certificate information. You can leave the default settings for:

Version: Version 3
Signature Algorithm: SHA-256 with RSA
Validity: 1 year
Serial No: Leave what’s there by default

5. Click the address book button and enter the name information. You can enter your own information. This key will be used for signing the outgoing requests. Optionally, if you have an existing certificate, feel free to enter it into the keystore
6. Now click the OK button twice. It will display the “New Key Pair Entry Alias” screen. Specify a meaningful alias and click OK.
7. Now enter the password.
8. This completes the key pair generation.
9. Now import the MCEDT certificate by accessing Tools > Import Trusted Certificate. Then locate the go-pki_cacert.arm file within the MCEDT source files (edt-stubs/src/main/resources/from_ohip_web_site) and click Import
10. KeyStore Explorer will display an info screen. Click “OK”
11. Click OK again to confirm the certificate details
12. Click “Yes” to accept the certificate as trusted
13. Enter an alias (any alias will do).
14. This completes the import step
15. Now save the key store by clicking File > Save
16. It will prompt you for the keystore password.
17. Project configuration. After the key store has been set up, it’s necessary to configure the client. Please open clientKeystore.properties and update the properties below:

org.apache.ws.security.crypto.merlin.keystore.password=pass
org.apache.ws.security.crypto.merlin.keystore.alias=signatureAlias
org.apache.ws.security.crypto.merlin.keystore.file=/usr/dev/keystore.jks

Now open the ElectronicDataTransferClientTest and navigate to the newBuilder method. Modify the source code that specifies the keystore user and password, MCEDT credentials (token info, conformance key and service ID) appropriately:

OSCAR Settings

Regardless of which method you use to generate the keystore you will need to activate MCEDT in oscar.properties.

sudo nano /usr/share/tomcat7/webapps/oscar.properties

Adjust your file to have the following properties, changing the values as necessary for your clinic:

# MCEDT Settings

# turn on MCEDT
mcedt.enabled=true
# boolean flag that represents if the SOAP call details are logged, turn on for debugging
mcedt.logging.skip=false
# username used for reading keystore content
mcedt.keystore.user=mcedt
# password used for reading keystore content
mcedt.keystore.pass=changeit
# username placed into the user name token (i.e. service user name)
mcedt.service.user=<your mcedt credential email or that of your designee>
# password placed into the user name token (i.e. service pass)
mcedt.service.pass=<your mcedt credential password or that of your designee>
# MCEDT web service URL
mcedt.service.url=https://ws.ebs.health.gov.on.ca:1441/EDTService/EDTService
# MCEDT service conformance key (provided when registering for MCEDT); it is a long string of characters
mcedt.service.conformanceKey=[get this key from OscarEMR]
# MCEDT service ID (provided when registering for MCEDT): the primary billing number / designee, which is loaded first
mcedt.service.id=<number1>
# uncomment the mcedt.service.designated.ids line below if you are setting up a clinic with multiple providers who have all given permission to a single designee;
# it will get you the files that belong to all the providers whose billing numbers are in the list
#mcedt.service.designated.ids=<number1,number2,number3,number4>

TOMCAT_KEYSTORE_FILE=/etc/tomcat7/mcedt.jks
TOMCAT_KEYSTORE_PASSWORD=changeit
TOMCAT_TRUSTSTORE_FILE=/etc/tomcat7/mcedt.jks
TOMCAT_TRUSTSTORE_PASSWORD=changeit
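
A lint pass over these settings, added here as an example (it is not part of OSCAR): in a Java .properties file `#` starts a comment only at the beginning of a line, so any note typed after a value is read as part of that value. The function name and sample values are constructed, and it assumes oscar.properties is loaded with standard java.util.Properties semantics.

```shell
#!/usr/bin/env bash
# Added example: lint the MCEDT entries of oscar.properties (read on stdin).
# On a real host: lint_mcedt_properties < /path/to/oscar.properties

# Prints one finding per line and returns non-zero if anything was found.
lint_mcedt_properties() {
  awk '
    /^[ \t]*[#!]/ || !/=/ { next }            # whole-line comments, blank lines
    {
      eq  = index($0, "=")
      key = substr($0, 1, eq - 1); val = substr($0, eq + 1)
      if (key !~ /^(mcedt\.|TOMCAT_)/) next   # only the keys from this how-to
      if (val ~ /[ \t]#/) {                   # a note typed after the value
        print key ": text after # is read as part of the value"; bad++ }
      if (val ~ /^(<|\[)/) {                  # <...> or [...] template text left in
        print key ": placeholder was not replaced"; bad++ }
      if (key ~ /(pass|PASSWORD)$/ && val ~ /^changeit[ \t]*$/) {
        print key ": still set to the how-to password changeit"; bad++ }
    }
    END { exit (bad > 0) }'
}

# Constructed sample input (not a real clinic configuration).
SAMPLE_BAD='# MCEDT Settings
mcedt.enabled=true
mcedt.keystore.pass=changeit
mcedt.service.user=<your mcedt credential email or that of your designee>
mcedt.service.id=123456  #the primary billing number'

SAMPLE_GOOD='# MCEDT Settings
mcedt.enabled=true
# the primary billing number
mcedt.service.id=123456
mcedt.keystore.pass=Constructed-Example-Passphrase'

printf '%s\n' "$SAMPLE_BAD"  | lint_mcedt_properties || echo "fix the findings above"
printf '%s\n' "$SAMPLE_GOOD" | lint_mcedt_properties && echo "no findings"
```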

Restart Tomcat and you are done!

sudo service tomcat7 restart